u/PlainPrivacyHQ

▲ 0 r/gdpr

Under GDPR, what counts as "consent withdrawal being as easy as giving consent"?

I'm developing an evidence-based website privacy review methodology and came across an interesting edge case. I'd appreciate opinions from people familiar with GDPR and cookie consent.

During testing of a large website, I observed the following:

• On first visit, the cookie banner offered both Accept All and Reject Non-Essential.

• The banner also included a "Manage your cookie preferences anytime" link, which opened a preference center before any consent choice was made.

• After accepting or rejecting cookies, I could no longer find a reasonably discoverable way to reopen the preference center.

I checked the homepage, footer, Privacy Policy, and other obvious privacy-related links but couldn't find it.

My understanding of the GDPR is that withdrawing consent should be as easy as giving it. However, I'm trying to separate legal requirements from my own assumptions.

My question is:

If the preference center is available before consent but is no longer reasonably discoverable afterward, would you consider that compatible with the GDPR? Or is there guidance or case law suggesting otherwise?

I'm interested in evidence-based answers, including EDPB guidance, DPA decisions, or relevant case law if anyone knows of them.

reddit.com
u/PlainPrivacyHQ — 9 days ago

Your cookie banner is probably not actually working

PSA: Most WordPress cookie banners aren't actually blocking scripts

​

Seen this on a lot of sites recently so thought it was worth posting.

​

Installing a consent management plugin doesn't automatically block non-essential scripts. A lot of implementations just display the banner visually while analytics and advertising cookies fire on page load before any user interaction.

​

Quick way to check your own setup:

​

Open the site in a private browser. Open DevTools. Go to Application then Cookies. Check what's present before interacting with the banner at all.

​

If you see \_ga or \_fbp loading before consent is given that's a violation of Article 5(3) ePrivacy Directive regardless of how compliant your banner looks visually.

​

The Auto Blocker setting in most CMPs fixes this but it's often disabled by default.

​

Happy to answer any questions.

reddit.com
u/PlainPrivacyHQ — 21 days ago